Uploaded image for project: 'Swift'
  1. Swift
  2. SR-13346

Swift Package Manager Security Risk

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Component/s: Package Manager
    • Labels:
      None
    • Environment:

      Should note that while I do have Xcode 12 betas installed, Xcode on the machine where I've reproduced this is installed from the App Store and xcode-select is using that version, not Xcode 12.

      Description

      Sorry if this isn't the correct place to report this but there's no issue tracker on the SPM repo and after writing a post about this issue someone pointed me to this Jira instance to report it here.

      I've found an easy way for anyone to execute arbitrary code via Swift Package Manager in the Package.swift file:

       

      let package: Package = {
        doSomething()
        return Package(...)
       }()
      func doSomething() {
      // Run any code in here as soon as the package is resolved, including anything from AppKit like NSWorkspace, or Foundation like FileManager, Process or URLSession.
      }
      

       
      The above code compiles and resolves correctly as a Package.swift file, and if hosted remotely somewhere like GitHub, the doSomething() function will be called as soon as it's resolved. Currently, that means in Xcode 11 it will call doSomething() silently before you've even finished adding the dependency since Xcode clones the repo and resolves the package before adding it to a target.

      Example repo: https://github.com/KaneCheshire/maleficent To reproduce:

      git clone https://github.com/KaneCheshire/maleficent
      cd maleficent
      swift build
      # note that `say` will speak a greeting to you by name

       
      I have no idea the best way to make this safer at a SPM level, but since it provides a way for people to silently execute code at the same privilege level that Xcode has (since it's running inside an Xcode process) I wanted to raise the issue asap.

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            kanecheshire Kane Cheshire
            Votes:
            2 Vote for this issue
            Watchers:
            9 Start watching this issue

              Dates

              Created:
              Updated: